SECURITY: password&username(email) in php file.

thosecars82
Forum Commoner
Posts: 94
Joined: Thu Apr 03, 2008 6:31 am
Location: Arganda, Madrid

SECURITY: password&username(email) in php file.

Post by thosecars82 »

Hello there
Question
I have just tested successfully the PEAR Mail package from http://email.about.com/od/emailprogramm ... 073006.htm to send an email.
Nevertheless, before uploading any code like this to a public server I would like to know the risks of putting my php file there. To let you understand my concerns, you have to consider that this php file would contain a password and a username from an email which would be used to send emails. I am wondering whether putting a php file like this in a web server is secure or not. What should be done in this kind of case? On the other hand there might be some way, which I am not aware of, to establish some protection for the password and username from this php file.

The code is the following one with some modifications for filling of the fields:
$from, $to, .... , $username, $password as you can see here:

<?php
require_once "Mail.php";

// Message fields
$from = "Sandra Sender <sender@example.com>";
$to = "Ramona Recipient <recipient@example.com>";
$subject = "Hi!";
$body = "Hi,\n\nHow are you?";

// SMTP server and account; the credentials sit in plain text in this file
$host = "ssl://mail.example.com";
$port = "465";
$username = "smtp_username";
$password = "smtp_password";

$headers = array ('From' => $from,
  'To' => $to,
  'Subject' => $subject);

// Build an authenticated SMTP mailer
$smtp = Mail::factory('smtp',
  array ('host' => $host,
    'port' => $port,
    'auth' => true,
    'username' => $username,
    'password' => $password));

$mail = $smtp->send($to, $headers, $body);

// send() returns a PEAR_Error object on failure
if (PEAR::isError($mail)) {
  echo("<p>" . $mail->getMessage() . "</p>");
} else {
  echo("<p>Message successfully sent!</p>");
}
?>

I would appreciate it if you told me what you know about this issue. Can I just upload the php file with the password and username written in it? Is it crazy? Or, on the contrary, is there any measure I must take to protect the password and username which would be written in this php file?
Thanks in advance
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: SECURITY: password&username(email) in php file.

Post by John Cartwright »

Anything sensitive should never be put inside the web root. However, 99.99% of the time it is okay to include passwords in php files since the source is only ever exposed when

1) Someone has gained access to your server and manually reads the file contents (you're screwed anyways if they gained access)
2) The php interpreter goes down (very unlikely but possible)

Generally speaking, you're fine.

Re: SECURITY: password&username(email) in php file.

Post by thosecars82 »

Jcart wrote: Anything sensitive should never be put inside the web root. However, 99.99% of the time it is okay to include passwords in php files since the source is only ever exposed when

1) Someone has gained access to your server and manually reads the file contents (you're screwed anyways if they gained access)
2) The php interpreter goes down (very unlikely but possible)

Generally speaking, you're fine.
What other places to store this password and username do you suggest to avoid the possibility of a php file not being parsed? I just came up with these choices:
1. Taking this data from a database which I could add to my site
2. Taking this data from a file which might be positioned in a non-accessible directory of my site. Would this second option be possible?
I look forward again to your opinion about these last ideas.
Thanks for your comments.

Re: SECURITY: password&username(email) in php file.

Post by John Cartwright »

thosecars82 wrote:
Jcart wrote: Anything sensitive should never be put inside the web root. However, 99.99% of the time it is okay to include passwords in php files since the source is only ever exposed when

1) Someone has gained access to your server and manually reads the file contents (you're screwed anyways if they gained access)
2) The php interpreter goes down (very unlikely but possible)

Generally speaking, you're fine.
What other places to store this password and username do you suggest to avoid the possibility of a php file not being parsed? I just came up with these choices:
1. Taking this data from a database which I could add to my site
2. Taking this data from a file which might be positioned in a non-accessible directory of my site. Would this second option be possible?
I look forward again to your opinion about these last ideas.
Thanks for your comments.
Well, #1 is kind of pointless because at some point we need a login for the database as well to even connect to it.

#2 was kind of what I was getting at: by placing a password file outside of the webroot, nobody will be able to directly access this file.
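
The approach from the reply above (keep the credentials in a file outside the web root and load them from the script), as an added example that is not part of the original thread or either poster's code. The paths, the `load_smtp_config` helper and the config file layout are assumptions for illustration; `Mail::factory` is the PEAR call from the first post.

```php
<?php
// Added example, not from the thread. Paths and helper name are hypothetical.
require_once "Mail.php";

/**
 * Load SMTP settings from a PHP file stored outside the web root.
 * The file is expected to `return` an array: host, port, username, password.
 */
function load_smtp_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException("Config file or document root not found");
    }
    // Refuse a file that the web server could serve by URL.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) === 0) {
        throw new RuntimeException("Config file is inside the web root");
    }
    // Refuse a file that every local account can read (POSIX permission bits).
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("Config file is world-readable; use chmod 640 or stricter");
    }
    $config = require $real;
    foreach (['host', 'port', 'username', 'password'] as $key) {
        if (!is_array($config) || empty($config[$key])) {
            throw new RuntimeException("Missing SMTP setting: $key");
        }
    }
    return $config;
}

// Assumed layout: /home/example/public_html is the web root and
// /home/example/private/smtp.php contains: <?php return ['host' => ..., ...];
try {
    $cfg = load_smtp_config('/home/example/private/smtp.php', $_SERVER['DOCUMENT_ROOT']);
    $smtp = Mail::factory('smtp', [
        'host' => $cfg['host'], 'port' => $cfg['port'], 'auth' => true,
        'username' => $cfg['username'], 'password' => $cfg['password'],
    ]);
} catch (RuntimeException $e) {
    // Log the detail server-side; tell the visitor nothing about the configuration.
    error_log($e->getMessage());
    http_response_code(500);
    exit("Mail is temporarily unavailable.");
}
```

Keeping the settings in a `.php` file that returns an array means that a copy misplaced inside the web root is executed rather than printed for as long as the interpreter is working.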

Re: SECURITY: password&username(email) in php file.

Post by thosecars82 »

Jcart wrote:
thosecars82 wrote:
Jcart wrote: Anything sensitive should never be put inside the web root. However, 99.99% of the time it is okay to include passwords in php files since the source is only ever exposed when

1) Someone has gained access to your server and manually reads the file contents (you're screwed anyways if they gained access)
2) The php interpreter goes down (very unlikely but possible)

Generally speaking, you're fine.
What other places to store this password and username do you suggest to avoid the possibility of a php file not being parsed? I just came up with these choices:
1. Taking this data from a database which I could add to my site
2. Taking this data from a file which might be positioned in a non-accessible directory of my site. Would this second option be possible?
I look forward again to your opinion about these last ideas.
Thanks for your comments.
Well, #1 is kind of pointless because at some point we need a login for the database as well to even connect to it.

#2 was kind of what I was getting at: by placing a password file outside of the webroot, nobody will be able to directly access this file.
Thanks and solved. Does anyone know how to mark this thread as solved? Where is the button to mark it?